Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 19:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
123ba5e09e2ad8ad912eadba747f89d1f3c7a17de385d6c8e3d9d2a433f67fda.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
123ba5e09e2ad8ad912eadba747f89d1f3c7a17de385d6c8e3d9d2a433f67fda.exe
-
Size
456KB
-
MD5
5459785143b98aaac015c207defd9d76
-
SHA1
95a70b869265c0ee83bae62c099dc22a3adca73d
-
SHA256
123ba5e09e2ad8ad912eadba747f89d1f3c7a17de385d6c8e3d9d2a433f67fda
-
SHA512
ea818a07bec196b1c4e652714827674c5356b1dbffc8a74ecb618368192e1c41eba64d4ebe8ecdc48ac06f0c5e30626af136159381152fd047473b6ab4da8dfb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRN:q7Tc2NYHUrAwfMp3CDRN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3276-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/588-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3808-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/560-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4732-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-636-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-662-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-675-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-721-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-746-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-762-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-902-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-933-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-992-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-1026-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3260 pvvjv.exe 4144 fxxrfff.exe 5068 htnnbt.exe 3804 hnhtth.exe 1272 ffxrlfx.exe 3336 jjdvj.exe 1180 frxfrxx.exe 5056 7nnbtn.exe 1508 jvpjd.exe 5024 jddvj.exe 1064 1lxrffx.exe 3340 httnht.exe 2076 jddvj.exe 3572 1flrffx.exe 1200 bhthbt.exe 2396 flflfxr.exe 5052 vjvjj.exe 3664 3vvpd.exe 4276 bnnthh.exe 3820 7lrflff.exe 588 jjvjp.exe 4116 bttnbt.exe 4892 rlfrllf.exe 4460 7nhtnh.exe 5008 9ntnbt.exe 3356 vppdv.exe 4948 nnthbt.exe 3808 djpdv.exe 2488 lflfrlf.exe 3492 1xlfxrl.exe 4268 jdjdv.exe 2752 htthbn.exe 3408 vppjd.exe 2768 hbhtnn.exe 4220 vpvjp.exe 4680 frxllff.exe 4784 7thbtb.exe 2068 vvvjd.exe 5104 djpjd.exe 4516 xxrlxlf.exe 4584 hnnbth.exe 3500 pppjj.exe 3276 pjddv.exe 2712 lxrllll.exe 996 lfrllfr.exe 3936 5hbhtb.exe 1264 jjpdd.exe 2300 xllxlfl.exe 4432 lffxrlf.exe 4332 pvvvp.exe 5044 ppvpj.exe 2636 frxffff.exe 3816 hhtnbt.exe 1676 hhhhbb.exe 4564 vdjdj.exe 4856 rrlfffl.exe 4896 nnhbnh.exe 1584 ppjjd.exe 4576 pvdvd.exe 4992 xrxrrrr.exe 560 tnnhhb.exe 3572 dvvpp.exe 2600 lflfrrr.exe 4168 lffxrxx.exe -
resource yara_rule behavioral2/memory/3276-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/588-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-151-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3356-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/560-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-368-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1976-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-662-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-721-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-746-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-762-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xfxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrflfx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxlrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1htnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3276 wrote to memory of 3260 3276 123ba5e09e2ad8ad912eadba747f89d1f3c7a17de385d6c8e3d9d2a433f67fda.exe 83 PID 3276 wrote to memory of 3260 3276 123ba5e09e2ad8ad912eadba747f89d1f3c7a17de385d6c8e3d9d2a433f67fda.exe 83 PID 3276 wrote to memory of 3260 3276 123ba5e09e2ad8ad912eadba747f89d1f3c7a17de385d6c8e3d9d2a433f67fda.exe 83 PID 3260 wrote to memory of 4144 3260 pvvjv.exe 84 PID 3260 wrote to memory of 4144 3260 pvvjv.exe 84 PID 3260 wrote to memory of 4144 3260 pvvjv.exe 84 PID 4144 wrote to memory of 5068 4144 fxxrfff.exe 85 PID 4144 wrote to memory of 5068 4144 fxxrfff.exe 85 PID 4144 wrote to memory of 5068 4144 fxxrfff.exe 85 PID 5068 wrote to memory of 3804 5068 htnnbt.exe 86 PID 5068 wrote to memory of 3804 5068 htnnbt.exe 86 PID 5068 wrote to memory of 3804 5068 htnnbt.exe 86 PID 3804 wrote to memory of 1272 3804 hnhtth.exe 87 PID 3804 wrote to memory of 1272 3804 hnhtth.exe 87 PID 3804 wrote to memory of 1272 3804 hnhtth.exe 87 PID 1272 wrote to memory of 3336 1272 ffxrlfx.exe 88 PID 1272 wrote to memory of 3336 1272 ffxrlfx.exe 88 PID 1272 wrote to memory of 3336 1272 ffxrlfx.exe 88 PID 3336 wrote to memory of 1180 3336 jjdvj.exe 89 PID 3336 wrote to memory of 1180 3336 jjdvj.exe 89 PID 3336 wrote to memory of 1180 3336 jjdvj.exe 89 PID 1180 wrote to memory of 5056 1180 frxfrxx.exe 90 PID 1180 wrote to memory of 5056 1180 frxfrxx.exe 90 PID 1180 wrote to memory of 5056 1180 frxfrxx.exe 90 PID 5056 wrote to memory of 1508 5056 7nnbtn.exe 91 PID 5056 wrote to memory of 1508 5056 7nnbtn.exe 91 PID 5056 wrote to memory of 1508 5056 7nnbtn.exe 91 PID 1508 wrote to memory of 5024 1508 jvpjd.exe 92 PID 1508 wrote to memory of 5024 1508 jvpjd.exe 92 PID 1508 wrote to memory of 5024 1508 jvpjd.exe 92 PID 5024 wrote to memory of 1064 5024 jddvj.exe 93 PID 5024 wrote to memory of 1064 5024 jddvj.exe 93 PID 5024 wrote to memory of 1064 5024 jddvj.exe 93 PID 1064 wrote to memory of 3340 1064 1lxrffx.exe 94 PID 1064 wrote to 
memory of 3340 1064 1lxrffx.exe 94 PID 1064 wrote to memory of 3340 1064 1lxrffx.exe 94 PID 3340 wrote to memory of 2076 3340 httnht.exe 95 PID 3340 wrote to memory of 2076 3340 httnht.exe 95 PID 3340 wrote to memory of 2076 3340 httnht.exe 95 PID 2076 wrote to memory of 3572 2076 jddvj.exe 96 PID 2076 wrote to memory of 3572 2076 jddvj.exe 96 PID 2076 wrote to memory of 3572 2076 jddvj.exe 96 PID 3572 wrote to memory of 1200 3572 1flrffx.exe 97 PID 3572 wrote to memory of 1200 3572 1flrffx.exe 97 PID 3572 wrote to memory of 1200 3572 1flrffx.exe 97 PID 1200 wrote to memory of 2396 1200 bhthbt.exe 98 PID 1200 wrote to memory of 2396 1200 bhthbt.exe 98 PID 1200 wrote to memory of 2396 1200 bhthbt.exe 98 PID 2396 wrote to memory of 5052 2396 flflfxr.exe 99 PID 2396 wrote to memory of 5052 2396 flflfxr.exe 99 PID 2396 wrote to memory of 5052 2396 flflfxr.exe 99 PID 5052 wrote to memory of 3664 5052 vjvjj.exe 100 PID 5052 wrote to memory of 3664 5052 vjvjj.exe 100 PID 5052 wrote to memory of 3664 5052 vjvjj.exe 100 PID 3664 wrote to memory of 4276 3664 3vvpd.exe 101 PID 3664 wrote to memory of 4276 3664 3vvpd.exe 101 PID 3664 wrote to memory of 4276 3664 3vvpd.exe 101 PID 4276 wrote to memory of 3820 4276 bnnthh.exe 102 PID 4276 wrote to memory of 3820 4276 bnnthh.exe 102 PID 4276 wrote to memory of 3820 4276 bnnthh.exe 102 PID 3820 wrote to memory of 588 3820 7lrflff.exe 103 PID 3820 wrote to memory of 588 3820 7lrflff.exe 103 PID 3820 wrote to memory of 588 3820 7lrflff.exe 103 PID 588 wrote to memory of 4116 588 jjvjp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\123ba5e09e2ad8ad912eadba747f89d1f3c7a17de385d6c8e3d9d2a433f67fda.exe"C:\Users\Admin\AppData\Local\Temp\123ba5e09e2ad8ad912eadba747f89d1f3c7a17de385d6c8e3d9d2a433f67fda.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3276 -
\??\c:\pvvjv.exec:\pvvjv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\fxxrfff.exec:\fxxrfff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
\??\c:\htnnbt.exec:\htnnbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\hnhtth.exec:\hnhtth.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3804 -
\??\c:\ffxrlfx.exec:\ffxrlfx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\jjdvj.exec:\jjdvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3336 -
\??\c:\frxfrxx.exec:\frxfrxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
\??\c:\7nnbtn.exec:\7nnbtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
\??\c:\jvpjd.exec:\jvpjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\jddvj.exec:\jddvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\1lxrffx.exec:\1lxrffx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
\??\c:\httnht.exec:\httnht.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
\??\c:\jddvj.exec:\jddvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\1flrffx.exec:\1flrffx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
\??\c:\bhthbt.exec:\bhthbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
\??\c:\flflfxr.exec:\flflfxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\vjvjj.exec:\vjvjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\3vvpd.exec:\3vvpd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
\??\c:\bnnthh.exec:\bnnthh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
\??\c:\7lrflff.exec:\7lrflff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
\??\c:\jjvjp.exec:\jjvjp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:588 -
\??\c:\bttnbt.exec:\bttnbt.exe23⤵
- Executes dropped EXE
PID:4116 -
\??\c:\rlfrllf.exec:\rlfrllf.exe24⤵
- Executes dropped EXE
PID:4892 -
\??\c:\7nhtnh.exec:\7nhtnh.exe25⤵
- Executes dropped EXE
PID:4460 -
\??\c:\9ntnbt.exec:\9ntnbt.exe26⤵
- Executes dropped EXE
PID:5008 -
\??\c:\vppdv.exec:\vppdv.exe27⤵
- Executes dropped EXE
PID:3356 -
\??\c:\nnthbt.exec:\nnthbt.exe28⤵
- Executes dropped EXE
PID:4948 -
\??\c:\djpdv.exec:\djpdv.exe29⤵
- Executes dropped EXE
PID:3808 -
\??\c:\lflfrlf.exec:\lflfrlf.exe30⤵
- Executes dropped EXE
PID:2488 -
\??\c:\1xlfxrl.exec:\1xlfxrl.exe31⤵
- Executes dropped EXE
PID:3492 -
\??\c:\jdjdv.exec:\jdjdv.exe32⤵
- Executes dropped EXE
PID:4268 -
\??\c:\htthbn.exec:\htthbn.exe33⤵
- Executes dropped EXE
PID:2752 -
\??\c:\vppjd.exec:\vppjd.exe34⤵
- Executes dropped EXE
PID:3408 -
\??\c:\hbhtnn.exec:\hbhtnn.exe35⤵
- Executes dropped EXE
PID:2768 -
\??\c:\vpvjp.exec:\vpvjp.exe36⤵
- Executes dropped EXE
PID:4220 -
\??\c:\frxllff.exec:\frxllff.exe37⤵
- Executes dropped EXE
PID:4680 -
\??\c:\7thbtb.exec:\7thbtb.exe38⤵
- Executes dropped EXE
PID:4784 -
\??\c:\vvvjd.exec:\vvvjd.exe39⤵
- Executes dropped EXE
PID:2068 -
\??\c:\djpjd.exec:\djpjd.exe40⤵
- Executes dropped EXE
PID:5104 -
\??\c:\xxrlxlf.exec:\xxrlxlf.exe41⤵
- Executes dropped EXE
PID:4516 -
\??\c:\hnnbth.exec:\hnnbth.exe42⤵
- Executes dropped EXE
PID:4584 -
\??\c:\pppjj.exec:\pppjj.exe43⤵
- Executes dropped EXE
PID:3500 -
\??\c:\pjddv.exec:\pjddv.exe44⤵
- Executes dropped EXE
PID:3276 -
\??\c:\lxrllll.exec:\lxrllll.exe45⤵
- Executes dropped EXE
PID:2712 -
\??\c:\lfrllfr.exec:\lfrllfr.exe46⤵
- Executes dropped EXE
PID:996 -
\??\c:\5hbhtb.exec:\5hbhtb.exe47⤵
- Executes dropped EXE
PID:3936 -
\??\c:\jjpdd.exec:\jjpdd.exe48⤵
- Executes dropped EXE
PID:1264 -
\??\c:\xllxlfl.exec:\xllxlfl.exe49⤵
- Executes dropped EXE
PID:2300 -
\??\c:\lffxrlf.exec:\lffxrlf.exe50⤵
- Executes dropped EXE
PID:4432 -
\??\c:\pvvvp.exec:\pvvvp.exe51⤵
- Executes dropped EXE
PID:4332 -
\??\c:\ppvpj.exec:\ppvpj.exe52⤵
- Executes dropped EXE
PID:5044 -
\??\c:\frxffff.exec:\frxffff.exe53⤵
- Executes dropped EXE
PID:2636 -
\??\c:\hhtnbt.exec:\hhtnbt.exe54⤵
- Executes dropped EXE
PID:3816 -
\??\c:\hhhhbb.exec:\hhhhbb.exe55⤵
- Executes dropped EXE
PID:1676 -
\??\c:\vdjdj.exec:\vdjdj.exe56⤵
- Executes dropped EXE
PID:4564 -
\??\c:\rrlfffl.exec:\rrlfffl.exe57⤵
- Executes dropped EXE
PID:4856 -
\??\c:\nnhbnh.exec:\nnhbnh.exe58⤵
- Executes dropped EXE
PID:4896 -
\??\c:\ppjjd.exec:\ppjjd.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1584 -
\??\c:\pvdvd.exec:\pvdvd.exe60⤵
- Executes dropped EXE
PID:4576 -
\??\c:\xrxrrrr.exec:\xrxrrrr.exe61⤵
- Executes dropped EXE
PID:4992 -
\??\c:\tnnhhb.exec:\tnnhhb.exe62⤵
- Executes dropped EXE
PID:560 -
\??\c:\dvvpp.exec:\dvvpp.exe63⤵
- Executes dropped EXE
PID:3572 -
\??\c:\lflfrrr.exec:\lflfrrr.exe64⤵
- Executes dropped EXE
PID:2600 -
\??\c:\lffxrxx.exec:\lffxrxx.exe65⤵
- Executes dropped EXE
PID:4168 -
\??\c:\vvvjd.exec:\vvvjd.exe66⤵PID:4352
-
\??\c:\xxffxxr.exec:\xxffxxr.exe67⤵PID:3012
-
\??\c:\bththb.exec:\bththb.exe68⤵PID:3912
-
\??\c:\pjjvp.exec:\pjjvp.exe69⤵PID:4276
-
\??\c:\dvvpj.exec:\dvvpj.exe70⤵PID:760
-
\??\c:\rfrlffx.exec:\rfrlffx.exe71⤵PID:3820
-
\??\c:\thhbtn.exec:\thhbtn.exe72⤵PID:2760
-
\??\c:\1pjdd.exec:\1pjdd.exe73⤵PID:2484
-
\??\c:\ffxlxrl.exec:\ffxlxrl.exe74⤵PID:1900
-
\??\c:\lxfxfxr.exec:\lxfxfxr.exe75⤵PID:4068
-
\??\c:\nbhbtt.exec:\nbhbtt.exe76⤵PID:4732
-
\??\c:\djpjj.exec:\djpjj.exe77⤵PID:4980
-
\??\c:\lffxrrl.exec:\lffxrrl.exe78⤵PID:1648
-
\??\c:\xflfffx.exec:\xflfffx.exe79⤵PID:4412
-
\??\c:\hhhtnn.exec:\hhhtnn.exe80⤵PID:1848
-
\??\c:\jvjvp.exec:\jvjvp.exe81⤵PID:3456
-
\??\c:\1rrfrxl.exec:\1rrfrxl.exe82⤵PID:3004
-
\??\c:\9rxrffx.exec:\9rxrffx.exe83⤵
- System Location Discovery: System Language Discovery
PID:4852 -
\??\c:\htthtn.exec:\htthtn.exe84⤵PID:4952
-
\??\c:\dvpdv.exec:\dvpdv.exe85⤵PID:3584
-
\??\c:\lxfxffx.exec:\lxfxffx.exe86⤵PID:4904
-
\??\c:\lflrlff.exec:\lflrlff.exe87⤵PID:1060
-
\??\c:\btnhbb.exec:\btnhbb.exe88⤵PID:1976
-
\??\c:\pvddv.exec:\pvddv.exe89⤵PID:2768
-
\??\c:\xrlfrlf.exec:\xrlfrlf.exe90⤵PID:4220
-
\??\c:\htbtnh.exec:\htbtnh.exe91⤵PID:4444
-
\??\c:\dvvpj.exec:\dvvpj.exe92⤵PID:3284
-
\??\c:\ppvjd.exec:\ppvjd.exe93⤵PID:4696
-
\??\c:\lxlflll.exec:\lxlflll.exe94⤵PID:5104
-
\??\c:\nbnhbb.exec:\nbnhbb.exe95⤵PID:4324
-
\??\c:\dvppv.exec:\dvppv.exe96⤵PID:3580
-
\??\c:\lllxlfx.exec:\lllxlfx.exe97⤵PID:2728
-
\??\c:\fxfllrx.exec:\fxfllrx.exe98⤵PID:1988
-
\??\c:\7tthtn.exec:\7tthtn.exe99⤵PID:4400
-
\??\c:\dvdvp.exec:\dvdvp.exe100⤵PID:2000
-
\??\c:\5jdvj.exec:\5jdvj.exe101⤵PID:4572
-
\??\c:\3rxrffx.exec:\3rxrffx.exe102⤵PID:4024
-
\??\c:\hththb.exec:\hththb.exe103⤵PID:2072
-
\??\c:\vpvjd.exec:\vpvjd.exe104⤵PID:2448
-
\??\c:\rffrfxl.exec:\rffrfxl.exe105⤵PID:1692
-
\??\c:\bnthbb.exec:\bnthbb.exe106⤵PID:4744
-
\??\c:\3ppjj.exec:\3ppjj.exe107⤵PID:3904
-
\??\c:\lrrlxrl.exec:\lrrlxrl.exe108⤵PID:3940
-
\??\c:\lrllllf.exec:\lrllllf.exe109⤵PID:1644
-
\??\c:\bhnnhb.exec:\bhnnhb.exe110⤵PID:3348
-
\??\c:\ddjdv.exec:\ddjdv.exe111⤵PID:4692
-
\??\c:\pdpjd.exec:\pdpjd.exe112⤵PID:1064
-
\??\c:\lxfrllf.exec:\lxfrllf.exe113⤵PID:2980
-
\??\c:\3nnbhh.exec:\3nnbhh.exe114⤵PID:4464
-
\??\c:\bntnbb.exec:\bntnbb.exe115⤵PID:2468
-
\??\c:\jjjdd.exec:\jjjdd.exe116⤵PID:2076
-
\??\c:\3lrllfl.exec:\3lrllfl.exe117⤵PID:1372
-
\??\c:\tntnhn.exec:\tntnhn.exe118⤵PID:4368
-
\??\c:\1pddp.exec:\1pddp.exe119⤵PID:4960
-
\??\c:\pdjpd.exec:\pdjpd.exe120⤵PID:5040
-
\??\c:\httntb.exec:\httntb.exe121⤵PID:1200
-
\??\c:\tbhhhb.exec:\tbhhhb.exe122⤵PID:2124